Meta

Month: May 2011

As you may have noticed (I hope :D) I have launched the redesigned of my blog. This is to coincide with the new address http://www.xpnsbraindump.com, and was long overdue. My hope is that I can now structure content in a way which is easy to find, and is less random.

I have also moved my social focus to the HAK5 irc channel rather than r00tsecurity. If you are interested in an active IRC channel with a varied array of topics, this is the place.

Recently I heard about the LastPass security issue that had been posted on their blog here

First, I should applaud LastPass in their open nature regarding ‘suspected’ security vulnerabilities. I believe that they have dealt with this issue well and in recent times, we all know of the issues that delaying security information can have (ahem *Sony*)

Saying that, today I came to re-install Windows 7 on my laptop, and installed the LastPass Chrome plugin. Trying to authenticate to my twitter account, I came across a problem, so I checked out the LastPass.com website for any updates, and was asked to enter my email address for an activation link to be sent.

It seems from the LastPass blog post that this is a temporary solution to mitigate the high volume of traffic that they were receiving of people resetting passwords.

This pointed out a huge issue for me: How could I log into my email’s to authenticate my LastPass account, when I couldn’t access LastPass to retrieve my email password?

Of course, there are other ways around this (such as using LastPass pocket or another locally stored LastPass database), but in a world Cloud Computing, where Amazon backs up your data, Google stores your blog, LastPass stores your security credentials, PayPal stores your finances, and Flickr stores your family photos, is our reliance on Cloud Computing not as fruitful as first thought?

For all of you listeners of pauldotcom’s security podcast, you may have heard about a recent technical segment on Weblabyrinth, a PHP program that tags itself as:

“A system that creates a bogus web structure to entrap and delay web scanners”

Basically, Weblabyrinth uses a .htaccess file to redirect non-existing page requests to itself, and then logs the access in a database and/or IDS. This helps administrators to identify anyone using an automated Web Scanner on their website.

Interested in anything that helps to add further security protection, and being a big fan of the show, I decided to check it out. After a bit of studying, it became apparent that there was a blatant SQL injection vulnerability present within the labyrinth.inc.php file.

I have logged a bug with the developers today to have these SQL injection attacks fixed, but it just goes to show that you should always be auditing scripts before deploying.

[ Edited 09/05/11 ]

Today I received an email from a Weblabyrinth developer confirming my security bug which will be fixed in version 0.3.2, I will update the post once this has been updated]

[ Edited 13/05/11 ]

It looks like the fix has gone live for Weblabyrinth 0.3.2 which fixes a SQL injection attack that I discovered:

$this->dbhandle->query("SELECT crawler_ip FROM crawlers WHERE crawler_ip='$ip' AND crawler_useragent='$useragent'");